How Can We Secure the Internet of Things (IoT)? Learn From History
Dan Lohrmann
Cybersecurity Leader | CxO Advisor | Bestselling Author | GT Blogger: 'Lohrmann on Cyber' | Global Keynote Speaker | CISO Mentor
Once again, as we started 2015, a hot trend that grabbed everyone’s attention was the growing buzz around the Internet of Things (IoT). The concept is that virtually every device will have an IP address, including refrigerators, cars, pacemakers and wearable tech.
Depending upon who you listen to, and/or which conferences you attend, IoT will either bring about amazing new opportunities or be the end of all privacy and security as we know it.
For one example on the positive side, Google CEO Eric Schmidt predicted last month that the “Internet will disappear.”
The Washington Post explained that he meant that: “The Internet will be seamlessly integrated into our lives, by way of a lot of connected devices and sensors.”
One IoT goal: Instant access to every aspect in our connected homes. For example, you can turn up the heat (or air conditioning) and start cooking the casserole in the oven — while driving home from work.
Looking a bit further out, your robot vacuum cleaner can tidy up the family room while you’re at work. Or imagine doctor’s visits from the comfort of home or clothes that report your blood pressure is too high.
For CIOs, how about systems that are smart enough to talk to customers’ scheduling assistants (which are really the new personal computers or smartphones)? My Memorial Day weekend campground reservation could be made on the first possible day nine months in advance, while my kids are getting ready to go back to school.
Sound awesome? For many in society, the answer is probably yes. But it also raises the question: How can we possibly secure… everything?
A Dark Side of IoT?
Shortly after the Google CEO made his Internet prediction, 60 Minutes aired a new program which demonstrated how car brakes and more can be hacked via WiFi – right now. This program was so alarming that my 91-year-old mother called me from across the country to ask if it was really true.
So which one is it? Is IoT an exciting innovation or a trend to be feared?
Learning From History:
Can we possibly secure the IoT if we can’t even secure the current Internet?
Before we address that question, I’d like to look back at security lessons from the past two decades. Let me start with a comment I left regarding a PC Magazine article on IoT back in December 2013:
I’m always amazed at how history keeps repeating itself in the world of computer security. Think back: operating systems, apps, smartphones, cloud computing and more — released with known vulnerabilities.
More than a decade ago, Microsoft (and other leading high-tech companies) declared that security will be job No. 1, and yet industry continues to release new products and “complete” services without adequate security protections.
Why? The rush to market. Because it pays off in the short term. And because consumers like to buy the latest “cool thing” without a second thought. No doubt, doing the right thing is harder and can slow things down — but no one ever uses that argument when considering good brakes in a car.
Here’s a prediction for you: Someone will write “an insightful article” for Wired magazine three years from now about how we should have thought to build security into XYZ hot new device way back when.
Near the beginning of that article, we’ll see words similar to: “We never really thought about security when we first introduced the XYZ product.”
And I’ll say, “Really?”
One silver lining: a vibrant cybersecurity industry for decades to come.
SOLUTIONS, PLEASE
Some cybersecurity pragmatists prefer not to talk about the Internet of Things — yet. They’d rather focus on current cyberthreats — from ransomware to spear-phishing scams to denial-of-service attacks to whatever else is hot. They point out that general discussions about cloud or mobile security are too broad to make a real difference.
It may surprise you that I am sympathetic to this argument. Since the bad guys are already way out in front of the good guys today, why discuss the implications of future technologies? Pragmatists go further by saying that we will never fully secure the Internet of Things, because we can’t even secure the current Internet.
When I see the claims and counter-arguments being made about IoT, it reminds me of the early days of cloud computing, BYOD and even WiFi. People are still asking: Can we secure the cloud?
The simple answer is no – for the entire cloud. Still, you can secure your cloud. We can secure individual computer systems and applications connected to the Internet in your situation. You can secure your corner of cyberspace.
What does this look like? Researchers who are building the smart grid are thinking through the supply chain and the manufacturing sources of components. Network providers build in access controls and enterprise security that is smarter and easier to use for families.
Another answer is for all consumer electronics companies to get specific with protections as they roll out new products and services.
And IT leaders must build security provisions and cyber protections into current and new contracts. From relationships with banks to the purchase of utility services, public-sector business leaders can make a difference. The best way to influence the privacy of today’s citizen data and the future Internet of Things is by strengthening the legal requirements in the current procurement process.
Are we going to learn from the past? CIOs and CISOs cannot “just say no” to IoT; they must prepare and enable secure solutions for their customers. We can learn from the brief history of cyberspace.
Final thought: Abraham Lincoln once said, “You cannot escape the responsibility of tomorrow by evading it today.”
An earlier version of this article appeared last year in Government Technology Magazine at: https://www.govtech.com/security/Can-We-Secure-the-Internet-of-Things.html
Dan Lohrmann's Government Technology Magazine blogs are at: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/
Senior Software Developer
9 years ago: But. It will make a lot of people lose a lot of money, that I am sure about. After those who inflict us with these artificial, spurious needs run away with the profit. You know who you are...
Senior Software Developer
9 years ago: I know that most people didn't believe that we would ever be able to walk on the moon (some still do), but seriously, this whole IoT thing is something that I personally think is, or at least will be, a massive bubble that probably bursts before it even leaves the ground.
Comercial Executive
9 years ago: ??????
Adversarial/DevSecOps/Intelligence/RedTeam Lead | OWASP-NY Chapter President | ISSA | Cloud Security Alliance | CyberIQ
9 years ago: Great article Dan - Thx for sharing - Guy Osa
Data protection, security, AI / ML governance, risk, and compliance
9 years ago: More great insight from Dan.